topic Can't traceroute through ASA - 9.8 in Network Security

Can't traceroute through ASA - 9.8

smartnet1234 — Fri, 21 Feb 2020 15:40:51 GMT

Hi, i have tried everything provided on this platform related to this issue but i still can not traceroute through ASA. Only the last, or sometimes the second last hop is shown. Please help as i have done everything i could.

We have two security-level 100 interfaces namely 'inside' and 'wan'. When the users from inside tries to traceroute to wan users, the traceroute hops are never seen until the last hop.

Configuration and traceroute screen shots are attached.

It used to show traceroute of 8.8.8.8 before but now not even that is shown through trace.

Re: Can't traceroute through ASA - 9.8

Marius Gunnerud — Sat, 28 Apr 2018 07:58:05 GMT

You are applying the access list to the interfaces that are not defined in the routing configuration

access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any unreachable

access-group outside_access_in in interface cybernet
access-group outside_access_in in interface multinet

route wan 192.168.64.0 255.255.254.0 172.16.20.5 1

Re: Can't traceroute through ASA - 9.8

fayk1988 — Sat, 28 Apr 2018 09:14:37 GMT

But, i have applied the following to the 'inside' and 'wan'. Shouldn't that be enough to get traceroute to work between them?

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside
access-group inside_access_in in interface wan

Re: Can't traceroute through ASA - 9.8

fayk1988 — Sat, 28 Apr 2018 09:19:08 GMT

I cut the following route configuration from the one i attached for hiding my IP addresses. The below route configuration is correct. Dont worry aboue the default routes. They are there. Im worried about 'wan' and 'inside' interfaces because between them the traceroute is not working.

route cybernet 0.0.0.0 0.0.0.0 x.x.x.x 1
route multinet 0.0.0.0 0.0.0.0 x.x.x.x 1
route wan 10.0.0.0 255.0.0.0 172.16.20.5 1
route wan 172.16.20.0 255.255.255.252 172.16.20.5 1
route wan 192.168.8.0 255.255.252.0 172.16.20.5 1
route wan 192.168.64.0 255.255.254.0 172.16.20.5 1
route wan 192.168.66.0 255.255.255.0 172.16.20.5 1
route wan 192.168.67.0 255.255.255.0 172.16.20.5 1
route wan 192.168.68.0 255.255.255.0 172.16.20.5 1
route wan 192.168.69.0 255.255.255.0 172.16.20.5 1
route wan 192.168.70.0 255.255.255.0 172.16.20.5 1
route wan 192.168.90.0 255.255.255.0 172.16.20.5 1

Re: Can't traceroute through ASA - 9.8

Marius Gunnerud — Sat, 28 Apr 2018 19:36:24 GMT

Have you verified that traceroute is not being dropped in FirePOWER?

Re: Can't traceroute through ASA - 9.8

Florin Barhala — Mon, 30 Apr 2018 07:19:49 GMT

What's the fastest/recommended way to check this?

Re: Can't traceroute through ASA - 9.8

Marius Gunnerud — Mon, 30 Apr 2018 07:26:44 GMT

You could log into the FirePOWER cli and run the command system support firewall-engine-debug, enter server and client IP, leave all else blank. then run a test. You might also be able to see this under the Analysis tab if you search for the spesified initiator IP under Connection events.

Re: Can't traceroute through ASA - 9.8

smartnet1234 — Mon, 30 Apr 2018 11:32:14 GMT

Yes, it was getting dropped at the SFR. Problem resolved.